At midnight on June 6, the UK government closed its consultation on consumer IoT security, having gathered input from the device manufacturers, service providers, app developers, retailers and third-party experts it had invited to contribute. It is now up to the government to decide which of the proposed measures to take forward into legislation.
At this point, the UK government is seeking to ensure:
- All IoT device passwords shall be unique and shall not be resettable to any universal factory default value.
- The manufacturer shall provide a public point of contact as part of a vulnerability disclosure policy, so that security researchers and others are able to report issues.
- Manufacturers will explicitly state the minimum length of time for which the product will receive security updates.
Entrust’s John Grimm, Senior Director of Strategy and Business Development, shared his thoughts on the consultation:
“Over time, the IoT has become the lynchpin of almost every single digital initiative and interaction. Consumers and businesses are discovering and benefiting from the opportunities it provides each day.
Yet, IoT devices have also become one of the most vulnerable entry points for attackers. The IoT exposes consumers and businesses to new security vulnerabilities due to its increased network connectivity and the devices within it not being secured by design. It is so vast and complex that finding data protection solutions which can span across the entire network, providing scalable encryption key management and not impeding data analytics can be a serious challenge.
By encouraging ‘Security by Design’, handing greater accountability to device manufacturers and introducing a new labelling system to indicate the presence of basic security features, the consultation signals a positive step in the right direction. However, some of the recommendations are dependent on variable factors – for example, a user may choose a weak password to replace the default, or a manufacturer may go out of business and stop delivering security updates to its devices.
In addition, the industry still must take further steps to ensure that information collected by devices can be encrypted, and that digital signing is used to ensure the authenticity of software updates and to help prevent the introduction of malware. There is also room for greater transparency around the software and hardware used in a given product, so that the impact of discovered vulnerabilities (which are inevitable) can be fully assessed for risk.
Overall, it is positive to see the government consulting widely and thoughtfully on these issues, taking steps to protect both businesses and consumers from the outset, giving them the information and transparency needed to make informed buying decisions. After all, when it comes to cybersecurity, prevention is always better than a cure.”